formbook

General

Target

Formbook.exe
Size

177KB
Sample

241011-jmtn5asfrg
MD5

325e9bc40c665d845e9edd875631ec48
SHA1

6f325ce61e9d8916cced15919cbd84fce584e14f
SHA256

c3b9bd6a3c03e763f6255c275cbb3a068de6feef7417d18b7a3e92c6b28753e5
SHA512

02760fc7cd93075f8fdb35e0a87dfee062c718fe03a28408da6a03d37eb6e39a3388c0c01611cee8d28422b930346c92f4242538a29daa8ad0a3b5cdf8d69dc4
SSDEEP

3072:FamFfATiz/CDWALN/Prl8QCUaIUZt/nmYVo+jVMDlMUqc:TJpCnN/58HUaIUZAA/jVMDXq

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

t65q

Decoy

0oaArVDIAeJVRaUXOQ==

LNDb+polOuZWRaUXOQ==

JtmsCzRHeEwzeL2B

vnqa1XjmKA+FvOMtYjCfpA==

PObZY38RZFy5hI+UBU5z

HMWF1duWpoWGMkD8jx65AUXSWw==

q1a4x9u/45pUzx7JtUw=

eiBXszdDjIicMZGUBU5z

2ZGTqUfi76hl6hgZwPHQTHU4

yXEFKTk2ZFqpgJhtW7TlCzU88p5IsBE=

4pKcIzzkIudWRaUXOQ==

DLJZgItne1U4t/oxYjCfpA==

Gtx+wM18vK+EJGWUjf7cib+389qAog==

AZhvu+juGvcbvwuGswJ7

Is51z+aNxKdZxgvJaaSc0TM5Ondl

/J5wws+U0rZJfqUJYjCfpA==

rYz0dRg7cEwzeL2B

ZQN98UzJR6VFhog=

bSdHfxuEokkzeL2B

/5w7hZ1okomXNpqMv1s=

Targets

- Target
  
  Formbook.exe
- Size
  
  177KB
- MD5
  
  325e9bc40c665d845e9edd875631ec48
- SHA1
  
  6f325ce61e9d8916cced15919cbd84fce584e14f
- SHA256
  
  c3b9bd6a3c03e763f6255c275cbb3a068de6feef7417d18b7a3e92c6b28753e5
- SHA512
  
  02760fc7cd93075f8fdb35e0a87dfee062c718fe03a28408da6a03d37eb6e39a3388c0c01611cee8d28422b930346c92f4242538a29daa8ad0a3b5cdf8d69dc4
- SSDEEP
  
  3072:FamFfATiz/CDWALN/Prl8QCUaIUZt/nmYVo+jVMDlMUqc:TJpCnN/58HUaIUZAA/jVMDXq
Score

10^/10

formbook xloader t65q discovery loader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Xloader

Xloader payload

Checks computer location settings

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2